The views expressed by contributors are their own and not the view of The Hill

Congress (finally) sets sights on new-age cyber invasion


Unless you’ve been hanging out at Mar-a-Lago, playing round after round of “Fake News or Not,” you probably remember the Mirai botnet attack last year. It was a distributed denial of service (DDoS) attack that exploited vulnerabilities in digital cameras and DVRs. 

Granted that may not be the most effective way to jog your memory. Try this: Remember that day when Twitter, PayPal, Amazon, Airbnb, Spotify, HBO, Netflix, Reddit, CNN and a host of other sites stopped working last fall? That was the Mirai botnet DDoS attack. 

There was a subsequent discovery that is even more disconcerting. Mirai worked on the principle — really, it’s a fact — that most IoT users are not particularly cybersecurity savvy. Default passwords on cameras and routers are a pain to reset, and who’s really going to hack them anyway? After the Mirai DDoS attack, more people started resetting them. And that was a pretty good solution. That is, until a few months ago.

Mirai 2.0, known as Persirai, doesn’t need to crack passwords. It doesn’t rely on bad consumer cyber hygiene. This far more aggressive exploit takes advantage of a zero-day vulnerability that allows a hacker to steal the password, no matter how good it is, from a camera — by accessing the file that stores it.

Say good-bye to the false sense of security a long and strong password used to provide.

Nowhere to Hide

The fact is, no matter how good your defenses, what is considered “cyber-secure” changes more than the object of a child’s attention at a candy store. What looks good today could very well spell doom tomorrow. Increasingly, we should take as a starting point that cybersecurity compromises are the third certainty in life.

For years now, the cybersecurity community has been calling for legislation that addresses the big picture, and we’re finally starting to see some action. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 is a step in the right direction.

What follows is technical. While you don’t need to understand it, lawmakers have finally come to the realization that you can’t get security right without listening to experts with experience on the front lines of the cyber war. It can’t be created in a vacuum. 

The act would require network segmentation and micro-segmentation, system-level controls that include operating system containers and micro-services, multi-factor authentication, and gateways that can stop a DDoS attack launched by IoT devices. Devices will have to be compliant with a high standard of security.

It seems with the introduction of this bipartisan bill, lawmakers have finally begun in earnest what will be a decades-long process of figuring out how to make our nation safe from the threat of hacking in all its many forms.

The proposed legislation calls for a public-facing database of IoT manufacturers who claim limitations of liability (the you-can’t-get-me guys) and a public database of devices and manufacturers of devices that utilize security that is no longer supported.

The bill even seems to reward innovation in the area of cybersecurity: “If an existing third-party security standard for Internet-connected devices provides an equivalent or greater level of security to that described in paragraph (1)(A), an executive agency may allow a contractor to demonstrate compliance with that standard.”

In other words, “Please feel free to do cybersecurity better than we require, and while you’re at it please share your methodology with us.”

Devices with limited capabilities, meaning essentially that they cannot be lassoed into a botnet, are exempt, but devices that aren’t working properly may have to be replaced by the manufacturer. This bill doesn’t mess around.

The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 also includes a crucial measure that we’ve wanted for a couple of years now: that devices not include “fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication.” That means manufacturers cannot make available devices that are vulnerable to Mirai-like exploits where easy-to-crack passwords mixed with lax consumer behavior can wreak havoc.

Unfortunately, it doesn’t address zero-day vulnerabilities, and that’s a big problem. One of the most forward-thinking initiatives the government could, and should, take is to incentivize white-hat hackers to find problems before they are exploited. Too often, companies ignore, or worse, try to hide the discovery of vulnerabilities. Rewarding the findings of these quality-control entrepreneurs — call them hackers, if you must — simply makes sense. 

Whether the problem be garden-variety rogues or rogue dictators — or even the would-be greater superpowers of Russia and China — make no mistake: We’re in crisis mode. This bill hopefully is the first of many to get us where we need to be as a nation.

Adam K. Levin is the chairman of CyberScout LLC, a provider of identity protection solutions, identity theft recovery services, breach services and data risk management solutions.
